{"id":511,"date":"2008-10-17T10:01:40","date_gmt":"2008-10-17T14:01:40","guid":{"rendered":"http:\/\/nuxx.net\/blog\/?p=511"},"modified":"2008-10-17T10:19:50","modified_gmt":"2008-10-17T14:19:50","slug":"restrict-default-ignore","status":"publish","type":"post","link":"https:\/\/nuxx.net\/blog\/2008\/10\/17\/restrict-default-ignore\/","title":{"rendered":"restrict default ignore"},"content":{"rendered":"

In setting up NTP<\/a> on nuxx.net<\/a> I ran into a bit of a problem: time wouldn’t sync. My configuration was fairly simple, following the information on support.ntp.org<\/a> for using the pool of North American<\/a> servers, blocking external access<\/a>, but allowing ntpq<\/tt> (et al) to work from localhost<\/a>:<\/p>\n

\n
server 0.north-america.pool.ntp.org\r\nserver 1.north-america.pool.ntp.org\r\nserver 2.north-america.pool.ntp.org\r\nserver 3.north-america.pool.ntp.org\r\n\r\ndriftfile \/var\/db\/ntp.drift\r\n\r\nrestrict default ignore\r\nrestrict 127.0.0.1<\/tt><\/pre>\n<\/blockquote>\n
However, it seemed that no matter what I tried (disabling the firewall, adding exceptions for TCP\/UDP 123, changing order of the restrict<\/tt> statements, etc) the box wasn’t able to contact its peers:<\/p>\n
\n
c0nsumer@banstyle:~> ntpq -pn\r\n     remote           refid      st t when poll reach   delay   offset  jitter\r\n==============================================================================\r\n 217.160.254.116 .INIT.          16 u    -   64    0    0.000    0.000 4000.00\r\n 209.132.176.4   .INIT.          16 u    -   64    0    0.000    0.000 4000.00\r\n 209.40.97.141   .INIT.          16 u    -   64    0    0.000    0.000 4000.00\r\n 216.14.98.234   .INIT.          16 u    -   64    0    0.000    0.000 4000.00<\/tt><\/pre>\n<\/blockquote>\n
After some more digging I found that the restrict default ignore<\/tt> option, which is widely recommended to keep external folks from connecting to your ntpd, prevents synchronization from happening, even with the exception for localhost.<\/p>\n
Having realized that, my ntp.conf<\/tt> is now just the basic config for the NA servers and the drift file, and it all works great:<\/p>\n
\n
server 0.north-america.pool.ntp.org\r\nserver 1.north-america.pool.ntp.org\r\nserver 2.north-america.pool.ntp.org\r\nserver 3.north-america.pool.ntp.org\r\n\r\ndriftfile \/var\/db\/ntp.drift<\/tt><\/pre>\n<\/blockquote>\n
Yep, it’s syncing just fine:<\/p>\n
\n
c0nsumer@banstyle:~> ntpq -pn\r\n     remote           refid      st t when poll reach   delay   offset  jitter\r\n==============================================================================\r\n*217.160.254.116 18.26.4.105      2 u  200  256   17   37.192    4.619   1.461\r\n 209.132.176.4   66.187.233.4     2 u  201  256   17  101.819   21.118   9.529\r\n 209.40.97.141   192.5.41.40      2 u  197  256   17   38.565  -31.122  21.081\r\n 216.14.98.234   216.218.254.202  2 u  200  256   17   18.731    3.940   4.848\r\n\r\nc0nsumer@banstyle:~> ntptrace\r\nlocalhost: stratum 3, offset 0.004619, root distance 0.043540\r\nserver.donkeyfly.com: stratum 2, offset -0.000686, root distance 0.006361\r\nbonehed.lcs.mit.edu: stratum 1, offset 0.000018, root distance 0.000000, refid 'CDMA'<\/tt><\/pre>\n<\/blockquote>\n
Now I just let pf<\/a> restrict access to NTP. That works just fine.<\/p>\n","protected":false},"excerpt":{"rendered":"
In setting up NTP on nuxx.net I ran into a bit of a problem: time wouldn’t sync. My configuration was fairly simple, following the information…<\/p>\n
Continue readingrestrict default ignore<\/span><\/a><\/div>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[13,4],"tags":[],"class_list":["post-511","post","type-post","status-publish","format-standard","hentry","category-computers","category-nuxxnet","entry"],"amp_enabled":true,"_links":{"self":[{"href":"https:\/\/nuxx.net\/blog\/wp-json\/wp\/v2\/posts\/511","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/nuxx.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/nuxx.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/nuxx.net\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/nuxx.net\/blog\/wp-json\/wp\/v2\/comments?post=511"}],"version-history":[{"count":14,"href":"https:\/\/nuxx.net\/blog\/wp-json\/wp\/v2\/posts\/511\/revisions"}],"predecessor-version":[{"id":525,"href":"https:\/\/nuxx.net\/blog\/wp-json\/wp\/v2\/posts\/511\/revisions\/525"}],"wp:attachment":[{"href":"https:\/\/nuxx.net\/blog\/wp-json\/wp\/v2\/media?parent=511"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/nuxx.net\/blog\/wp-json\/wp\/v2\/categories?post=511"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/nuxx.net\/blog\/wp-json\/wp\/v2\/tags?post=511"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}